The CyberWire Daily Podcast 9.1.20
Ep 1164 | 9.1.20

The difference between a breach and, well, a public record. Pioneer Kitten’s lucrative bycatch. Malware gets past Gatekeeper. A gamer’s bandit economy. And happy birthday, Cyber Branch.

Transcript

Dave Bittner: An election hack that wasn't. More DDoS in New Zealand's stock exchange. A look at how Iranian cyber contractors make money as a byproduct of cyber-espionage. Malware sneaks past Apple's notarization process. The bandit economy that's grown up around Fortnite. Ben Yelin looks at how the upcoming U.S. elections could direct the nation's cybersecurity strategies. Our guest is Julian Waits from Devo with highlights from their second annual SOC Performance Report. And the U.S. Army's youngest branch celebrates a birthday.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 1, 2020. 

Dave Bittner: Was it a hack or just some matters of public record? We're betting public record. This morning, the Russian-language newspaper Kommersant aroused a Twitter flurry with a report that data on 7.6 million Michigan voters, as well as millions of voters in other states - Connecticut, Arkansas, Florida and North Carolina - had appeared on Russian dark web sites. The data were said to include name, date of birth, gender, date of registration, address, postal code, email, voter identification number and polling station number. 

Dave Bittner: But as Dmitri Alperovitch tweeted in an update, there's probably a lot less here than meets the eye since in many states, all that information is considered a matter of public record and can be supplied in response to ordinary information requests. So, really, nothing to see here. Let's all just move along. 

Dave Bittner: But one aspect of Kommersant's story is interesting. It says that the dark web hoods with the data on their hands were thinking of turning the information in to the U.S. State Department in exchange for a payout under the Rewards for Justice program. We doubt that will work, but give the hoods credit for thinking outside that old box, if, of course, the whole thing happened at all. 

Dave Bittner: The New Zealand Herald reports that after a good start yesterday, New Zealand's NZX stock exchange again sustained a disruptive distributed denial-of-service attack. The exchange was able to work through the attack and continue trading by deploying a range of workarounds and alternative procedures. The incident remains under investigation by GCSB and law enforcement authorities. 

Dave Bittner: We've had occasion before to mention signs that some Iranian threat actors had made an appearance in criminal markets. Security firm CrowdStrike has some new information on the development. 

Dave Bittner: CrowdStrike researchers have released a report on PIONEER KITTEN, also known as Fox Kitten or PARISITE, an Iranian threat actor believed to be a contractor providing cyber-espionage support to the government of Iran. Last month, PIONEER KITTEN was observed in various black markets, offering to sell access to compromised networks. CrowdStrike thinks this represents an attempt on the group's part at revenue diversification. 

Dave Bittner: The researchers say that PIONEER KITTEN's operations are marked by a profound reliance on exploits of remote external services that attack their target's internet-facing assets for initial access. They also see an almost total reliance on open-source tooling during operations. 

Dave Bittner: PIONEER KITTEN is especially interested in VPN and network appliance exploits, notably CVE-2019-11510, CVE-2019-19781 and, most recently, CVE-2020-5902. CrowdStrike thinks that this particular bent lends itself to opportunistic attacks. 

Dave Bittner: Finally, PIONEER KITTEN relies on SSH tunneling achieved with open-source tools like ngrok and a custom tool, SSHMinion, to establish communication with implants and hands-on-keyboard activity through Remote Desktop Protocol. 

Dave Bittner: PIONEER KITTEN's espionage targets have, for the most part, been in Israel or North America. The sectors they've been seen hitting include technology, government, defense, health care, aviation, media, academic, engineering, consulting and professional services, chemical, manufacturing, financial services, insurance and retail. The network access they're selling appears to be just bycatch of their espionage take, which is to be expected given the threat group's opportunistic mode of operation. ZDNet observes that the biggest customers of such initial access brokers tend to be ransomware gangs. 

Dave Bittner: TechCrunch reports that Apple's well-regarded notarization process, designed to help its Gatekeeper to exclude malware from its App Store, has permitted some malware to slip into approved software. The malware in question was disguised as an Adobe Flash installer. That's a common enough design for malware, but the point is that earlier Flash exploits had been kept out of the notarized walled garden of Apple's App Store. 

Dave Bittner: Security firm Malwarebytes this morning argued that this ought to shake Mac users out of security complacency. Mac security is good, but, like everything else, it's not infallible. 

Dave Bittner: Night Lion Security has taken a look at the ways in which cybercriminals monetize exploitation of online games like Fortnite. It amounts in the aggregate to a billion-dollar black market in accounts and in-game commodities. Fortnite, Roblox and Minecraft are among the most popular targets, and some well-known gangs are involved in the criminal trade, including the Gnosticplayers and the Shiny Hunters. 

Dave Bittner: The underground market is as sophisticated as such criminal economies often are. Distributors sell to resellers, who then sell to consumers. Some resellers maintain their own gray market shops. 

Dave Bittner: The sale of accounts is obvious, but what kinds of in-game purchases are in demand? Skins, mostly - that is, the appearance of the characters you use as your avatar. Maybe you want Joker makeup, a sombrero and a cocktail dress worn with a pair of UGGs. I'm not saying you would, but it might be something someone would like. Anyhoo, if you're unclear on the concept of a skin, ask any middle schooler. 

Dave Bittner: And finally, today is the sixth birthday of the U.S. Army's Cyber Branch. The Army describes its youngest tribe as a maneuver branch with the mission to conduct defensive and offensive cyberspace operations. Cyber is the only branch designed to directly engage threats within the cyberspace domain. So congratulations and happy birthday to Uncle Sam's cyber warriors. As they say around Fort Gordon, defend, attack, exploit. And we'll add, best wishes, Cyber Branch. Thanks for your service. Stay safe, and good hunting. 

Dave Bittner: The team at real-time analytics firm Devo recently released the second annual version of their SOC Performance Report. Julian Waits is GM of Devo's cyber Business Unit, and he joins us with highlights from the report. 

Julian Waits: When we originally started the report, it was because, over and over again, we'd go into large corporations or large government entities, we talked to the security analysts, and in general, they all seemed to really not like their jobs much. In the field that you would think is very exciting with the amount of things that change, especially with cyberdefense, you know, defending your corporation or country - what have you - you would think people would be more enthused about their work. And what we found over and over again is there were just so many issues that start with, you know, internal politics but really leans itself more to just people being overworked. The process is not defined well. Way too many tools. And this constant fear of, you know, what am I missing because of lack of visibility into everything that's going on in their environment. 

Dave Bittner: Well, let's go through some of the details together. Can you share some of the insights from the report? 

Julian Waits: Sure. So, you know, I just touched on one of them. One of the things the report talked about was, you know, 70% of the people that we surveyed complained of a lack of visibility into their IT infrastructure. And that number last year was 65%. So rather than decreasing, it's actually increasing. 

Julian Waits: Another 64% of the respondents talked about internal turf battles, generally between the security group and the IT group. Who owns what? Who's responsible for what? You know, in general, security groups are responsible for defining the policies around how things are configured in the environment, but the IT group is responsible for changing the configuration. If the security group says, hey, we need to patch these servers, but the patch doesn't get done and there's a breach, well, whose fault is that, right? So there's just a lot of confusion. 

Dave Bittner: Is there a certain amount of resignation that this is a position that's going to be tough, that's going to be stressful and, you know, as a result, people are going to just sort of flow through? 

Julian Waits: Correct. So I would tell you, overwhelmingly, when I talked to many chief information security officers and senior security executives, it's kind of understood before they start - hey, I'll get a group of people in, maybe even provide them a certain level of training for 18 months to two years and then, you know, they're going to be able to get a better job which pays more than what I'm going to be able to pay. And so I'm basically training them for a while, understanding that it's going to be a very hectic environment 'cause they're constantly rotating, especially through - you know, there's three tiers of SOC analysts, where tier three is the most advanced - you know, your threat hunters. And the goal is to get those tier one people as close to tier three as you can. 

Julian Waits: And the more forward-looking CISOs are the ones who try and be creative about, how am I going to keep these people once they have the knowledge to be able to go somewhere else and potentially get more money? And I've seen some things that have worked very well, like rotation around multiple disciplines within the SOC because there's so many different things that people can do and learn from. But it is a well-accepted problem, and I wish the industry would change on that. 

Dave Bittner: That's Julian Waits from Devo. 

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, also my co-host over on the "Caveat" podcast. Ben, always great to have you back. 

Ben Yelin: Good to be with you again, Dave. 

Dave Bittner: I want to talk about this article written by Eric Geller over on Politico. Eric always does good work over there. And it's titled "Biden Prepping to Ramp Up U.S. Cyber Defenses - While Keeping Some Trump Policies." I mean, we are hot and heavy into the campaign mode here. Both parties have had their conventions, and this is really an outline of what Joe Biden's planning on doing when it comes to cyberdefenses. What's your analysis here, Ben? 

Ben Yelin: Well, first, I was looking for the sentimental video at one of these conventions on cybersecurity issues, and I just didn't find it. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: I wanted to be shedding some tears here, but apparently, that's not what gets the eyeballs. 

Dave Bittner: The fields of flowing wheat and the sun rising over the server farms or (laughter)... 

Ben Yelin: Yeah, the dramatic music - yeah. We just... 

Dave Bittner: Right. 

Ben Yelin: We were... 

Dave Bittner: Right. 

Ben Yelin: ...Not lucky enough to get that. 

Dave Bittner: OK. 

Ben Yelin: And that gets to an actually serious point, which is that cybersecurity as a policy issue is pretty under the radar. And, you know, I think that's the nature of the campaign. This is a campaign happening during several crises. We have the coronavirus crisis, the economic crisis emerging from that coronavirus pandemic and then, obviously, the past few months, these protests related to police violence. So it's just been an issue that hasn't gotten the full attention of the political press. 

Ben Yelin: But it seems like behind the scenes, the former vice president is preparing a team of partially veterans from the Obama administration but some private sector players to develop his own cyber policy. A lot of what he's proposing to do isn't actually that different from what the Trump administration has done over the past four years. You know, I think a lot of the Trump administration's cyber policies have been, you know, nominally nonpartisan. 

Dave Bittner: Right. 

Ben Yelin: I think, you know, the directive that gave the military greater authority to hack our adversaries, that's not something that the former vice president would get rid of. In terms of personnel, I think a Biden administration would make some changes. They'd probably restore the key White House cybersecurity post that we saw in the Obama years. 

Dave Bittner: Right. 

Ben Yelin: You know, and in some of the policy plans, which you really have to dig deep into his website to get, they talk about some of their more specific proposals. Imposing substantial and lasting costs on countries that interfere with our elections was one of the examples. You know, defending against attacks that would impact our economy, our critical infrastructure, national security, et cetera. So you see the hints of, you know, sort of a cohesive cybersecurity agenda. 

Ben Yelin: You know, in terms of the Trump-Biden contrast, I'm not sure the discrepancy in their viewpoint on this issue is as wide as it is in other political areas. 

Dave Bittner: Right. 

Ben Yelin: But certainly, there might be a reordering of priorities. 

Dave Bittner: Yeah. I mean, that's the thing here, is that, to me, cybersecurity is really something that has unusual bipartisan support in these days, right? It's really - it's not very controversial, so there's not a whole lot of fighting to be done over it. There's not a lot of - I don't know - political points to be scored by having differences of opinion. It seems like everybody pretty much agrees that this is an issue. 

Ben Yelin: Yeah. I mean, I'd put one warning there in that things can become polarized very quickly. If people you don't like politically take a stand on an issue, your natural instinct is going to, you know, be to take the opposite position. We saw that politicization this summer with mask wearing. We've seen it with all other types of issues, where it seems like they are nominally nonpartisan, but they can... 

Dave Bittner: Right. 

Ben Yelin: ...Become partisan in certain circumstances. So, you know, I'm always watching out for that. And certainly, some aspects of cybersecurity policy, particularly related to election interference, have been caught up in partisan warfare. 

Ben Yelin: But you're right. In terms of, you know, the meat and potatoes of our cybersecurity policy, you know, going after - more proactively after our adversaries, protecting our critical infrastructure, those are things that you really do see a lot of bipartisan support for. 

Dave Bittner: Yeah, I wonder if we'll see more stability with some of these positions. It seems like the folks in cybersecurity positions at the White House and at that level, it's sort of been like the Defense Against the Dark Arts teacher. There's, you know, a lot of turnover there. 

Ben Yelin: Yes, there always is a lot of turnover. You know, I think a lot of the career folks who are in government - you look at the people at the National Security Agency. Even when we have a major ideological change in administrations, some of those career folks, or as you might call them, the deep state... 

(LAUGHTER) 

Ben Yelin: ...Are still going to be there making policy. So I think there is going to be more continuity than people might think, especially in the first couple of years of a new administration. I mean, you have this level of path dependency, where so many initiatives that are - will have come from the Trump administration would continue in a potential Biden administration just because the projects have already started. And unless, you know, you put your tentacles into all levers of the federal government to try and change policy, there is kind of a lot of inertia there. 

Dave Bittner: Yeah. 

Ben Yelin: So I think that's definitely something to look out for. 

Dave Bittner: Yeah. All right, well, again, it's an article by Eric Geller. It's titled "Biden Prepping to Ramp Up U.S. Cyber Defenses - While Keeping Some Trump Policies." It's over on Politico - worth a read. Ben Yelin, thanks for joining us. 

Ben Yelin: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time, keep you informed, and it smells April fresh. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.